Europäisches Patentamt
European Patent Office
Office européen des brevets

Publication number: 0 674 440 A2

EUROPEAN PATENT APPLICATION

Application number: 95103794.4
Date of filing: 16.03.95
Int. Cl.: H04N 7/167
Priority: 21.03.94 FI 941316
Date of publication of application: 27.09.95 Bulletin 95/39
Designated Contracting States: DE FR GB IT
Applicant: NOKIA TECHNOLOGY GmbH, Östliche Karl-Friedrich-Strasse 132, D-75175 Pforzheim (DE)
Inventor: Kangas, Mauri, Sporentie 21, SF-21530 Paimio (FI)

A process for encryption and decryption of a bit stream containing digital information.

According to the invention digital video, audio and data information can be encrypted according to the MPEG-2 standard either by encrypting the PES packets with an accuracy of a bit or a byte, or by encrypting the transport stream packet with block encryption. Both encryptions can be used in combination. The decryption device in a receiver identifies from the transport stream packet header on which level the encryption is made at the transmitting end, and controls the decryption in accordance with that identification.

The invention relates to a process for encryption and decryption of digital video, audio and data signals transmitted on a transmission path. In the process the video, audio and data information contained in the digital bit stream is first encrypted in an encryption device at the transmitting end, and then decrypted in the receiving device.

For the transmission of digital video, audio and data signals we can use transmission via air through a land based antenna, a satellite connection, a cable TV network, the telephone/telecommunications network, or an optical cable network, through which the information is transmitted to a plurality of receivers. Said information is often intended to be freely used by all receivers, but on the other hand methods are also needed by which it is possible to control which receiver/receivers actually can receive the information. Thus, in the transmission of an analog video signal in a pay TV system and in corresponding systems, the subscriber selects a program which she/he desires, and pays for those programs which are transmitted as encrypted signals. In the analog systems the encryption can be based on shuffling the order of the picture lines by blocks, which are smaller than the picture area. The subscriber has obtained an encryption key against payment. In advanced pay TV systems it is even possible to buy the rights to view an encrypted program a few moments before the transmission starts or even during the transmission. Then the subscriber has in advance loaded electronic money in a smart card for instance, and if there is a balance on the card, then the selected encrypted program is decrypted so that it can be viewed. It has also been proposed to use an arrangement in which a certain code stating the price of the program is attached to the transmitted program signal. The receiver compares the payment with the loaded money, and the program is decrypted when there is a sufficient balance.

The present encryption methods used mainly in pay TV applications are based on the encryption of an analog video signal. These methods cannot be directly applied to future digital systems, and they do not utilize the characteristics of digital transmission. The object of pay TV operators is an encryption process which in the receiver of a paying viewer produces picture and sound of good quality, which in other words must not corrupt the transmitted program. From the operators' point of view it is also favorable if it is possible to view the encrypted transmission to some degree without decryption. In this case the quality of the picture and the sound must be sufficiently good, so that the viewer can have an idea of this operator's programs, but on the other hand it must have a sufficiently bad quality, so that the program cannot be viewed with pleasure. To an operator an encrypted transmission then provides a means to advertise the operator's programs to those viewers who are in the same network but who have not paid to receive the program in question.

A plurality of encryption methods are available when the transmitted information is in digital form and also contains something else than pure video information, as is assumed below. When we wish to control which receiver or receivers actually can receive the transmitted digital information, then there are basically two lines of action:

a) the digital information is transmitted according to a predetermined plan, whereby each receiver can express his/her desire to receive that information prior to the transmission or during it;

b) the digital information is transmitted only when any receiver expresses his/her desire to receive this information.

In the latter case also others than the individual who ordered can be allowed to receive this information, whereby these other receivers can already earlier have obtained the authorization to receive this transmission, or they can order it during the transmission. As it is desirable to prevent unauthorized receiving of the signal in such digital signal transmission, the transmitted bit stream is transformed into a form for which the receivers have no possibility to disentangle the data contents if they do not have the keys required for data decryption.

Generally there are many methods available for the encryption of a digital bit stream, and in order to make impossible an unauthorized attempt to decrypt the data when the system has been commissioned, it is desirable to have an encryption system which is as complicated and as secure as possible. In order to maximize the security it is advisable to use a so called block encryption algorithm whenever it is technically feasible. The algorithm will divide into blocks the data stream to be encrypted, which could comprise only a section of the total data stream. The block size could be e.g. 8 bytes, and the encryption is made in one operation for the whole block. In such cases where it is cumbersome to divide the data information into desired blocks, it is however possible to use a so called PRBS generator (Pseudo-Random Bit Sequence), whereby the data section to be encrypted can have any number of bytes, even a precision of one bit could be achieved when needed. If we want to guarantee the algorithm's security against unauthorized decryption attempts it is advisable to combine two of the above mentioned algorithms. Regarding the block encryption algorithm the most straightforward way is to keep within the limits imposed by the block size.

The transmission of an audio signal is an essential part of the transmission of a digital signal, but also so called control data has to be transmitted when systems are realized. In the future it is also necessary to transmit so called data information in order to have more versatile services, whereby the data information can contain almost any kind of information from the system's point of view. All these information sections must be transmitted in encrypted form, at least partly, in order to secure that only authorized receivers can receive the information.

Future digital television systems enable simultaneous transmission of several programs in one transmission channel. Then the transmitted signal is in packet form, and the transmission channel sequentially transports packets containing audio and video information of these different programs. One video packet usually contains information of several picture blocks, whereby one picture block can comprise e.g. 8x8 pixels, or the video data packet can contain picture information of so called macro blocks, comprising 16x16 pixels. It is also possible to transmit data packets which are attached to the programs. MPEG-2 (Motion Picture Experts Group) is a generic standard of high quality video compression methods, with which a television picture can be transmitted in fewer bits than when the television picture is digitized directly into bits.

Several compression standards have been developed in order to transmit video, audio and data signals, the above mentioned MPEG-2 (Motion Picture Experts Group) being one of these. This standard was developed in a joint work group of ISO (International Standards Organization) and IEC (International Electrotechnical Commission). Several MPEG standards have been developed, and in future the transmission of the above mentioned information will be realized in many different applications, according to the specifications defined by these standards. Concerning the standards we refer to the MPEG standard ISO/IEC 13818 known by persons skilled in the art. According to this standard the encoded video, audio and data information is packed into so called PES packets (Packetized Elementary Stream). The packet will contain a header and a data section, and the whole packet may have varying lengths.

Figure 1 shows the structure of a PES packet. The packet header comprises the packet start code prefix, the stream ID, an indication of the packet length, an optional header, and a plurality of stuffing bytes. Then there is an information section containing the data bytes of the packet, and as was mentioned above, the information section may comprise a block of the program's encoded audio, video or data signals, but so that one packet contains a signal of one type only. The packet can have a length of several kilobytes.



The MPEG standard defines two bit streams of different types: 1) the Program Stream, and 2) the Transport Stream. The program stream contains the encoded video and audio signal in the form of PES packets (Packetized Elementary Stream) referred to above, each of these packets always containing a bit stream block of a certain size, in other words so that the video, audio and data signal of the program source is encoded separately and sliced into blocks of a certain length, each block being placed in the information section of the PES packet. The length of a block and thus the length of the PES packet may vary. Thus the program's video signal comprises sequential video-PES packets, the audio signal comprises sequential audio-PES packets, and so on. For instance all information of a motion picture may be stored as a program stream.

Figures 2a and 2b show how the PES packets of figure 1 are placed as packets in the program stream. The program stream, figure 2a, comprises sequential packets having a packet header and an information section PACK. Figure 2b, showing the structure of one packet in the program stream, the so called packet level, illustrates how a program stream packet PACK contains several PES packets, which are numbered #1, #2, ... #n, and which may contain picture, sound, data etc. relating to the program. For the sake of clarity we can consider that the packet sequence of figure 2a represents e.g. one motion picture, the PES packetized audio and video signals of which are placed in the information sections of the program stream packets. The program stream ends in the "program end code".

When a program shall be transmitted on a transmission link, then a so called transport stream is formed, which is intended for the transmission of audio and video signals on any transmission link, such as TV broadcasts, satellite, cable TV, telephone/telecommunications cables, optical cables, etc. If the program source is a recording in the form of a program stream, e.g. a motion picture recorded on a CD disk, the program stream is first demultiplexed into separate audio, video and data PES packets. On the other hand, if the program source provides audio, video and data signals, then these are decoded and formed into PES packets. Whatever the source may be, the PES packets provided by the source are placed into the transport stream.

Figures 3a and 3b show the structure of the transport stream. The transport stream is such that it comprises transport stream packets having a fixed length of e.g. 188 bytes, figure 3a. A packet comprises a header of varying length, and a data section containing the useful information or payload. Figure 3b shows the structure of one transport stream packet. The packet header comprises 9 fields, which will not be described in more detail here. Here we must observe the last field or the adaptation field, which plays an important role, as is described later. The PES packet bytes are included in the packet payload.

Let us consider how the PES packets of figure 1 are placed in the transport stream packet of figure 3b. After the transport stream packet header there is first the PES packet header, which indicates the start of a new PES packet. Then the payload section is filled with PES packet bytes starting at the beginning of the packet. Then the operation moves to fill the next payload section with PES packet bytes. This is continued until the last PES packet bytes are placed in the last transport stream packet. If there are fewer bytes than the place reserved for the actual payload, then the header adaptation part is filled with as many stuffing bits as are necessary to obtain the standard length of the transport stream packet. After the header of the next transport stream packet there is the header of the next PES packet, and after this the payload section where the bytes of this next PES packet are placed. Then the operation continues to the next transport stream packet and filling its payload section, and so on. Here it must be observed that the border of two PES packets divided into the transport stream is never inside a transport stream packet, but a new PES packet always starts after the header of the transport stream packet, and the packet is ended so that its last bytes at the same time form the last bytes of a transport stream packet.

It must be noted here that the longest PES packet could be several kilobytes, and thus several times longer than a transport stream packet of the fixed length (188 bytes). Thus the transport stream packets, figure 3, comprise PES packet sections of varying lengths. Because the PES packets contained in a program stream are divided rather straightforwardly into the packets of the frequency stream, one PES packet contained in the program stream is divided into very many transport stream packets.

Depending on the application the digital bit stream may exist either as a program stream or a transport stream, or also in a form where the PES packets contained in the program stream are independent entities. Video and audio signals have their own PES packets, whereby a program stream packet contains a varying number of packets in varying locations within the program stream. Because there may arise situations in which, on the one hand, the digital information should be processed as a program stream, as PES packets, or as a transport stream, and in which on the other hand it is desirable to encrypt the bit streams in the form they happen to have in the respective application, then it is reasonable to be able to encrypt the bit streams on all respective levels. Then the encryption should have at least two alternatives:

1) encryption on the transport stream level, and

2) encryption on the PES level.

Because the transport stream level is the more common means to transmit and process data, it is reasonable that the encryption is as secure as possible at least on this level. Because the transport stream is divided into packets of fixed lengths, as was stated above, it is logical to have the data stream encryption on the transport stream level made as an operation which concerns single packets.

Because the length of the section to be encrypted contained in the packets in the transport stream may vary, it is not possible to have a block encryption to encrypt directly the whole section to be encrypted, as its length very seldom comprises a multiple of the encryption block. Therefore prior art systems use as the encryption algorithm for the transport stream a combination of block encryption and a PRBS generator, with which it is possible to obtain a sufficient encryption security. By using a combination of these two algorithms it is possible to overcome the block size limitation imposed by the block encryption, because a remainder beyond the encryption block multiple can be encrypted only by the PRBS generator, which can provide an accuracy of one byte regarding the length of the section to be encrypted.

In the encryption on the program stream level or on the PES level the prior art systems will process packets of varying lengths which comprise sections to be encrypted of correspondingly varying lengths. When the program stream or the individual PES packets are directed into the transport stream, then the PES packets have to be sliced into pieces suitable for the transport stream. This presents at least the following problems: If the PES packet was encrypted on the program stream level or on the PES level, then during the encryption process it is not possible to know, except in special cases, the sizes of the blocks into which the PES packet will be sliced. If block encryption is used for the entire PES packet, then the slicing operation most often will lead to a situation where the slicing will happen at a place within the encryption block, so that the encryption block is separated in two transport stream blocks. This in turn will lead to a complicated structure in the decryption device, because sequential packets or at least packet sections must be stored there in the internal memory in order to finish the decryption process. On the other hand it is desirable to use this decryption device to decrypt several sequential data streams, and on the other hand the sequential packets of the same data stream will not be sequential in the transport stream. This will in turn lead to a situation in which the sequential packets or sections of these packets must be temporarily stored in memory in order to decrypt all packets in the transport stream. If the decryption device is realized according to this principle it will be unnecessarily complicated.

In order to avoid the above mentioned problems the following requirements must be satisfied when the data stream encryption is realized according to the MPEG standard:

• It must be possible to encrypt the data stream on the program stream level and the transport stream level as well as on the PES packet level.

• The encryption must be as secure as possible.

• The decryption must be realized as simply as possible within the limits set by the basic algorithms.

The object of the process to use the encryption algorithms according to the patent claims is to satisfy all the requirements presented above. The process to use the encryption algorithms does not actually take a stand on the actual algorithms, but of course we select algorithms which are as secure as possible and which shuffle the bit stream as effectively as possible.

According to the basic idea of the invention we use two different encryption algorithms simultaneously, but on different levels according to the MPEG standard. One algorithm performs block encryption on one level, whereby the whole section to be encrypted must be a multiple of the block length. Accordingly the second algorithm performs the encryption on a second level with an accuracy of one byte, even one bit, using the PRBS algorithm. Below in the text we call this latter encryption method byte encryption. When necessary we use the abbreviation TS for the transport stream. In addition to the basic method, which comprises simultaneous use of block encryption and byte encryption, the invention comprises several embodiments to perform the encryption.

According to the first embodiment the encryption is made on the PES level by using byte encryption, and on the TS level there is no encryption. According to the second embodiment there is no encryption on the PES level, but on the TS level there is performed either a block encryption with an accuracy of a block or a partly double encryption, which also comprises bytes outside the encryption block multiple.

According to the third embodiment byte encryption is made on the PES level, and on the TS level there is performed block encryption with an accuracy of the block size or a partly double encryption comprising also the bytes outside of the block size multiple.

The different embodiments of the invention are described below with reference to the enclosed schematic figures, in which:

figure 1 shows a PES packet according to the MPEG-2 standard;

figure 2 shows the principle of the program stream;

figures 3a and 3b show the principle of the transport stream;

figure 4 shows the encryption according to the first embodiment;

figure 5 shows the encryption according to the second embodiment;

figure 6 shows a chained block encryption of the TS packet;

figure 7 shows the decryption of the chained block encryption of the TS packet;

figure 8 shows a direct block encryption of the TS packet;

figure 9 shows the decryption of the direct block encryption of the TS packet;

figure 10 shows the encryption according to the third embodiment;

figure 11 shows a combined byte encryption and block encryption;

figure 12 shows the decryption of the encryption according to figure 11; and

figure 13 illustrates how the block encryption and the byte encryption is made in the same process.

Figure 4 shows how the encryption is made according to the first embodiment. The encryption is made on the PES level using byte encryption, i.e. a PRBS generator is used. The PES packet to be encrypted comprises a header PH, after which there is the information section P(N1) comprising N1 bytes. Here it should be observed that both the header length and the information section length, and thus the total packet length can vary within certain limits. The byte encryption is made only on the information section, and there is no reason to encrypt the header, because the decryption is made easier when the header is not encrypted. After the byte encryption the original PES packet has transformed into a packet comprising the original header PH and the information section P'(N1) which was transformed by the encryption algorithm and comprises N1 bytes, whereby all bytes of the information section were encrypted regardless of the lengths of the PES packet or the header section.

Then the encrypted PES packets can be sliced and placed in the TS packets of a standard length, if required by the application. The slicing is made so that after the header HT1 of the first TS packet there is immediately the header PH of the PES packet, and immediately after that so many encrypted bytes of the section P'(N1) are placed in the information section T1' that the TS packet is filled. After the header HT2 of the next TS packet the process to fill the information section T2' with encrypted bytes is continued. In the last TS packet the situation is most often such that there are fewer encrypted bytes of the PES packet than the length of the information section Tn' would allow. The packet is made into the standard length by increasing the length of the header HTn. This is made so that the required number of stuffing bytes are added to the adaptation field of the header. TS packets generated in this way will not be further encrypted.
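
The first embodiment (figure 4 and the slicing just described) can be followed end to end in the added example below, which is not part of the patent text. The 16-bit LFSR is a stand-in for the unspecified PRBS generator, and the INIT value, PID and payload are constructed for illustration; the TS and PES header fields follow the MPEG-2 systems layout.

```python
# Added illustration (not from the patent): PES-level byte encryption, then
# slicing into 188-byte TS packets with adaptation-field stuffing.
TS_LEN, TS_HDR = 188, 4

def prbs_keystream(init):
    """Stand-in PRBS: 16-bit LFSR, taps 16/14/13/11. Not a secure generator."""
    state = (init & 0xFFFF) or 0xACE1          # an LFSR must not start at zero
    while True:
        byte = 0
        for _ in range(8):
            bit = (state ^ (state >> 2) ^ (state >> 3) ^ (state >> 5)) & 1
            state = (state >> 1) | (bit << 15)
            byte = (byte << 1) | (state & 1)
        yield byte

def make_pes(payload, stream_id=0xE0):
    """Constructed PES packet: header PH (9 bytes here) + information section."""
    opt = bytes([0x80, 0x00, 0x00])            # flags, flags, header_data_length=0
    length = (len(opt) + len(payload)).to_bytes(2, "big")
    return b"\x00\x00\x01" + bytes([stream_id]) + length + opt + payload

def byte_encrypt_pes(pes, init):
    """Figure 4: PH stays clear, every byte of P(N1) is XORed with the PRBS."""
    h, ks = 9 + pes[8], prbs_keystream(init)   # 9 fixed bytes + header_data_length
    return pes[:h] + bytes(b ^ next(ks) for b in pes[h:])

def slice_to_ts(pes, pid):
    """Slice one PES packet into TS packets; pad the last one in its header."""
    packets, pos, cc = [], 0, 0
    while pos < len(pes):
        chunk = pes[pos:pos + TS_LEN - TS_HDR]
        pad = TS_LEN - TS_HDR - len(chunk)     # stuffing needed in this packet
        afc = 0b11 if pad else 0b01            # adaptation field + payload / payload
        pusi = 0x40 if pos == 0 else 0x00      # marks the start of a PES packet
        hdr = bytes([0x47, pusi | ((pid >> 8) & 0x1F), pid & 0xFF, (afc << 4) | cc])
        if pad == 1:
            hdr += b"\x00"                     # adaptation_field_length = 0
        elif pad > 1:                          # length, flags byte, 0xFF stuffing
            hdr += bytes([pad - 1, 0x00]) + b"\xFF" * (pad - 2)
        packets.append(hdr + chunk)
        pos += len(chunk)
        cc = (cc + 1) & 0x0F                   # continuity counter
    return packets

def ts_payload(pkt):
    """Return the payload bytes behind the (variable-length) TS header."""
    has_af = (pkt[3] >> 4) & 0b10
    return pkt[TS_HDR + (1 + pkt[4] if has_af else 0):]

def descramble_stream(packets, init):
    """Receiver side: the PRBS is initialised only at a PES start, so the
    keystream state has to be carried from one TS packet to the next."""
    out, ks, hdr_left = bytearray(), None, 0
    for pkt in packets:
        data = ts_payload(pkt)
        if pkt[1] & 0x40:                      # new PES packet begins here
            ks, hdr_left = prbs_keystream(init), 9 + data[8]
        clear = data[:hdr_left]                # PES header bytes are not encrypted
        hdr_left -= len(clear)
        out += clear + bytes(b ^ next(ks) for b in data[len(clear):])
    return bytes(out)

INIT = 0x1995                                  # constructed initialising number
PES = make_pes(bytes(range(256)) * 3)          # constructed 768-byte payload
ENC = byte_encrypt_pes(PES, INIT)
PACKETS = slice_to_ts(ENC, pid=0x100)

if __name__ == "__main__":
    print(len(PACKETS), "TS packets, last payload:", len(ts_payload(PACKETS[-1])))
    print("round trip ok:", descramble_stream(PACKETS, INIT) == PES)
```

With this stand-in generator the keystream is positional, so a TS packet lost in transit leaves the descrambler out of step for the rest of that PES packet until the next PES start re-initialises it.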

The embodiment of figure 5 differs from that of figure 4 in that no encryption is made on the PES level, but block encryption is made on the TS level. The encryption is made with an accuracy of the block size, or alternatively it is made as a partly double encryption, whereby bytes of a packet outside the encryption block multiple can be encrypted. According to figure 5 the PES packet formed by the header HP and the information section P(N1) comprising N1 bytes is sliced without encryption into n TS packets, whereby each TS packet comprises a header (HT1...HTn) and an information section (T1...Tn), in which the N1 bytes of the PES packet are placed. The TS packets are made equally long by adding stuffing bytes in the header when required. Then a block encryption is made on the TS packets, either on the multiple of the encryption block or on the whole section to be encrypted. The header blocks HT1 - HTn have varying lengths and do not belong to the region which is encrypted. But the remaining bytes belong to the region T1 - Tn to be encrypted, which after encryption will be in the form T1' - Tn', and each byte of these packets will be encrypted regardless of the length of the header section, if the encryption is partly made as double encryption, whereby also bytes outside the encryption block multiple can be encrypted. A part of the bytes will not be encrypted, if the encryption is made only with an accuracy of the block size. This is due to the fact that the information part of each TS packet is not necessarily a multiple of the encryption block. It is to be noted that the TS packet as a whole has a fixed length, but the header may have a varying length.

In the following we consider different means to make the block encryption. Figure 6 shows the functional principle of a so called chained block encryption. The section to be encrypted of the TS packet is divided in blocks B0 - Bn having a size of the encryption block, whereby the remainder R is shorter than the encryption block. The encryption device processes a whole TS packet at a time, and the encryption is started from the end, so that first the block Bn is encrypted by block encryption. The part 'Encrypt' performing the encryption generates an encrypted block Bn'. All block encryptors use a certain key to perform the block encryption, and for the sake of simplicity the key may be the same for all block encryptors. The remainder R will be moved without encryption to its own place in the encrypted TS packet. Bn' is moved through the XOR function of the block Bn-1, and thus the block encryption of block Bn-1 has as input Bn' XOR Bn-1. When we in the figure move towards the beginning of the TS packet's block to be encrypted, we will notice that the same operation is repeated for each block until we reach the beginning of the section to be encrypted. The header section HEADER is moved as such to the beginning of the encrypted TS packet.

Figure 7 shows correspondingly how the encryption of figure 6 is decrypted, whereby the first encrypted block B0' is decrypted in the decryption block 'Decrypt', and an XOR operation is performed on the result and the encrypted block B1', which at the same time produces the decrypted block B0. This result B0 is at the same time the input of the next block decryptor. Correspondingly we move block by block until we reach the end of the encrypted section of the TS packet. The remainder R was not encrypted originally, so it is already decrypted.

Figure 8 shows a so called unchained version of the block encryption in figure 6. In this version all blocks B0...Bn of the TS packet are encrypted separately, and it is not necessary to start the encryption from the end of the TS packet, but the encryption can be performed separately on each block. Starting from the beginning each block B to be encrypted is directed to the input of the encryption block 'Encrypt', and then we obtain an encrypted block B', which is placed in the encrypted TS packet at the same place as the not encrypted block B. The remainder R is not encrypted.

Figure 9 shows the decryption of the encryption made by the method according to figure 8. The decryption is made in a way which is as straightforward as the encryption. In turn each encrypted block B0'...Bn' is directed, starting from the beginning of the packet or from the block B0', to the input of the decryption block 'Decrypt', which at its output provides the original decrypted block B0...Bn, which is placed in the TS packet at the place of the corresponding encrypted block B'. The remainder R as such is placed directly to its place.
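
The chained scheme of figures 6 and 7 and the unchained scheme of figures 8 and 9 are compared in the added example below, which is not part of the patent text. The patent names no block algorithm, so a 4-round Feistel network built on SHA-256 stands in as the 8-byte 'Encrypt'/'Decrypt' block; the key and the sample section are constructed, and the chained decryption is written as the inverse of the encryption of figure 6.

```python
# Added illustration (not from the patent): chained vs. direct block
# encryption of the encryptable section of one TS packet.
import hashlib

BLOCK = 8                                      # block size used as example in the text

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def round_f(key, rnd, half):
    """Round function of the stand-in cipher (assumption, not the patent's)."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def encrypt_block(key, blk):
    l, r = blk[:4], blk[4:]
    for rnd in range(4):
        l, r = r, xor(l, round_f(key, rnd, r))
    return l + r

def decrypt_block(key, blk):
    l, r = blk[:4], blk[4:]
    for rnd in reversed(range(4)):
        l, r = xor(r, round_f(key, rnd, l)), l
    return l + r

def split(section):
    """Blocks B0..Bn plus the remainder R that is shorter than one block."""
    n = len(section) // BLOCK
    return [section[i * BLOCK:(i + 1) * BLOCK] for i in range(n)], section[n * BLOCK:]

def encrypt_chained(key, section):
    """Figure 6: start at Bn; each earlier block is XORed with the encrypted
    block after it before being encrypted. R is copied unencrypted."""
    blocks, rem = split(section)
    out, nxt = [b""] * len(blocks), None
    for i in reversed(range(len(blocks))):
        inp = blocks[i] if nxt is None else xor(blocks[i], nxt)
        nxt = out[i] = encrypt_block(key, inp)
    return b"".join(out) + rem

def decrypt_chained(key, section):
    """Inverse of figure 6, front to back: Bi = Decrypt(Bi') XOR Bi+1'.
    Only this one packet is needed, with a look-ahead of one block."""
    blocks, rem = split(section)
    out = []
    for i, c in enumerate(blocks):
        p = decrypt_block(key, c)
        out.append(xor(p, blocks[i + 1]) if i + 1 < len(blocks) else p)
    return b"".join(out) + rem

def encrypt_direct(key, section):
    """Figure 8: every block encrypted on its own, R copied unencrypted."""
    blocks, rem = split(section)
    return b"".join(encrypt_block(key, b) for b in blocks) + rem

def decrypt_direct(key, section):
    """Figure 9: every block decrypted on its own."""
    blocks, rem = split(section)
    return b"".join(decrypt_block(key, b) for b in blocks) + rem

def repeated_blocks(ciphertext):
    """How many cipher blocks duplicate an earlier one (pattern leakage)."""
    blocks, _ = split(ciphertext)
    return len(blocks) - len(set(blocks))

KEY = b"constructed-key"                       # constructed sample key
# Constructed section: three identical blocks, one other block, 3-byte remainder.
SECTION = b"SAMEBLK!" * 3 + b"LASTBLK!" + b"END"

if __name__ == "__main__":
    d, c = encrypt_direct(KEY, SECTION), encrypt_chained(KEY, SECTION)
    print("direct  repeats:", repeated_blocks(d), "tail:", d[-3:])
    print("chained repeats:", repeated_blocks(c), "tail:", c[-3:])
    print("round trips:", decrypt_direct(KEY, d) == SECTION,
          decrypt_chained(KEY, c) == SECTION)
```

Direct encryption maps the three identical plaintext blocks to three identical cipher blocks, while chaining hides the repetition; in both modes the remainder R is visible in the clear unless the byte encryption is applied as well.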

The third embodiment of the invention according to figure 10 performs the encryption both on the PES level, where byte encryption is performed, and on the TS level, where block encryption is performed with an accuracy of the block size or alternatively partly doubled encryption is performed, which also incorporates the bytes outside the multiple of the encryption block. The encryption according to this embodiment is thus a combination of the encryption methods of the embodiments 1 and 2. Thus we first perform a byte encryption on the PES packet PH + P(N1), and the PES packet PH + P'(N1) containing the encrypted bytes is sliced into TS packets. In this way we obtain TS packets encrypted on the PES level, in which the sections now to be encrypted were already encrypted on the PES level. Then we perform the same operations as in figure 5 on the TS packets already encrypted on the PES level. All bytes of the TS packet's section to be encrypted are encrypted irrespective of whether the operation is according to the block size or a partly doubled encryption.

Figure 11 shows a practical way to realize the third embodiment shown in figure 10. The processing is first made on a whole PES packet of the program stream which is byte encrypted by the PRBS algorithm or a corresponding algorithm. The PRBS block means that at the input of the PRBS block there is an XOR operation on the number generated by the block itself. At the beginning of the PES packet the PRBS algorithm is initialized with an INIT initializing number, and then the PES packet is processed byte by byte, proceeding to the end of the whole PES packet. The initialization is made utilizing an encryption key in one way or another. Then the PES packet is sliced into TS packets for the transport stream, each TS packet getting its own header HT. If the combined length of the headers of the TS packet and the PES packet exceeds the last part of the TS packet, then after the first TS packet header and possibly also after the second TS packet header there is further included also PES packet header information, so that all those bytes which are outside the TS packet header do not belong to the region to be encrypted. In any case the PES packet encrypted with the PRBS algorithm is sliced into TS packets so that a plurality of TS packets are obtained from one PES packet, each TS packet having a header, several encrypted blocks B0' - Bn', and an encrypted remainder R'. These TS packets are then encrypted according to the chained encryption of figure 6, whereby the result is a plurality of encrypted blocks B0" - Bn" and an encrypted remainder R'.

The keys are transmitted from the encrypting 
device to the decrypting device in the digital bit 
stream, and the transport messages of the keys are 
encrypted by their own algorithms. All 'Encrypt'
and 'Decrypt' blocks usually use the same key. 
This same key is also used in the initialization 
(INIT) of the PRBS block. Even if the same keys 
are used in both the block encryption and the byte 
encryption according to figures 10 and 11 when the 
combined block and byte encryption is performed,
there are four possibilities to use the encryption
keys: 

1. The byte encryptor uses the same key as the
block encryptor;

2. The byte encryptor and the block encryptor
use different keys;

3. The blocks of the block encryptor have the
same keys available; and

4. The blocks of the block encryptor can use
different keys for all blocks, if this is considered
necessary.

The operator can select which option to use, based 
on his/her own requirements. 

Figure 12 shows the decryption of the encryption
according to figure 11. The TS packets are
first decrypted as is shown in figure 7. As a result 
we obtain blocks which are still encrypted by the 
byte encryption. Therefore each block B0' - Bn'
and the remainder R' encrypted by the PRBS
algorithm are further decrypted according to the
PRBS algorithm so that we obtain the original TS
packet. The initialization of the PRBS algorithm is
made only at the beginning of the PES packet.

Figures 10 and 11 show how the encryption is
made first on the PES packet, which then is sliced
into TS packets and finally the TS packets are also 
encrypted by block encryption. These two encryptions
can be performed in one process shown in
figure 13. According to this process the PES packets
are first sliced into TS packets in the way
described above. Then both the byte encryption 
and the block encryption are performed in one 
process. The advantage of this arrangement is that, 
if required, the encryption can be made at the
same time in the encryption device. The initialization
of the PRBS algorithm, which utilizes an encryption
key, is made at the beginning of the PES
packet. The PRBS block means that in the input of
the PRBS block there is an XOR operation on the
number generated by the block itself. The data
stream encrypted according to figure 13 can be 
decrypted in the way shown in figure 12. 
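
The combined byte and block encryption of figures 11 and 12, as an added Python example that is not part of the patent text. The LFSR used as PRBS, the 4-round Feistel stand-in for the block cipher, the 8-byte block, the 20-byte TS payload and the derivation of INIT from the key are assumptions; headers are left out because they stay unencrypted, and both stages use the same key (option 1 above).

```python
import hashlib

BLOCK = 8        # assumed block-cipher size in bytes
TS_PAYLOAD = 20  # shortened payload so a remainder R occurs (assumption)

def prbs(init, n):
    """Stand-in PRBS: 16-bit LFSR keystream, initialised once with INIT."""
    s, out = (init & 0xFFFF) or 1, bytearray()
    for _ in range(n):
        byte = 0
        for _ in range(8):
            bit = (s ^ (s >> 2) ^ (s >> 3) ^ (s >> 5)) & 1
            s = (s >> 1) | (bit << 15)
            byte = (byte << 1) | (s & 1)
        out.append(byte)
    return bytes(out)

def block_op(blk, key, dec):
    """Stand-in 8-byte block cipher: 4-round Feistel network (not secure)."""
    l, r = blk[:4], blk[4:]
    for i in (range(3, -1, -1) if dec else range(4)):
        f = hashlib.sha256(key + bytes([i]) + (l if dec else r)).digest()[:4]
        x = bytes(a ^ b for a, b in zip(r if dec else l, f))
        l, r = (x, l) if dec else (r, x)
    return l + r

def ts_crypt(payload, key, dec=False):
    """Block-encrypt one TS payload; the remainder is covered by a final
    block that overlaps bytes already encrypted once."""
    buf, n = bytearray(payload), len(payload)
    spans = [(i, i + BLOCK) for i in range(0, n - n % BLOCK, BLOCK)]
    if n % BLOCK and n >= BLOCK:
        spans.append((n - BLOCK, n))          # second phase: R plus tail of last block
    for a, b in (reversed(spans) if dec else spans):   # decrypt undoes the overlap first
        buf[a:b] = block_op(bytes(buf[a:b]), key, dec)
    return bytes(buf)

def init_from(key):
    return int.from_bytes(hashlib.sha256(key).digest()[:2], "big")  # assumed INIT derivation

def encrypt_pes(pes, key):
    byte_enc = bytes(p ^ k for p, k in zip(pes, prbs(init_from(key), len(pes))))
    return [ts_crypt(byte_enc[i:i + TS_PAYLOAD], key)
            for i in range(0, len(byte_enc), TS_PAYLOAD)]

def decrypt_ts(packets, key):
    byte_enc = b"".join(ts_crypt(p, key, dec=True) for p in packets)
    return bytes(c ^ k for c, k in zip(byte_enc, prbs(init_from(key), len(byte_enc))))
```

A final payload shorter than one block is left with the byte encryption only, and the PRBS keystream runs on across TS packet boundaries because it is initialised once per PES packet.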

When the encryption is made on the TS level 
we can select whether to encrypt all bytes outside
the TS packet header, or to leave also the header
of the PES packet outside the TS packet encryp- 
tion. It is preferred to not encrypt the headers of 
the PES packet and the TS packet. Then the 
encrypted packet can be easily processed in the
encrypted form, without having an intermediate
decryption of the packets.

Figures 6 to 9 and 11 to 13 show the blocks 
'Encrypt' and 'Decrypt' of the block encryption and
the block 'PRBS' of the byte encryption. It must be
noticed that block encryption keys and byte encryption
keys are essential to these operations. All
'Encrypt' and 'Decrypt' blocks usually use the 
same key. This same key is also used when the
PRBS block is initialized (INIT). The keys are transmitted
from the encrypting device to the decrypting
device within the digital bit stream, and the trans- 
port messages of the keys are encrypted by their 
own algorithms. 

According to the basic idea of the invention the 
encryption is made either on the PES packet level, 
on the TS packet level, or on both levels. The 
decryption made in the receiver is the inverse 
process to the encryption and according to the 
above a person skilled in the art can realize it in a 
clear-cut manner. From certain bits in the header of 
the TS packet the decryption device in the receiver 
will know on which level the decryption is made 
and which encryption method is used, and then it 
can select the correct decryption algorithm. Be- 
cause the header of the PES packet follows the 
header of the TS packet this header can also 
contain the information about the encryption meth- 
od if the encryption is made only on the PES level. 
A practical advantage of the invention is that all 
different encryption methods can be realized by the
same device arrangements both in the receiver and 
in the transmitter. Although the byte encryption and 
the block encryption are different and require their 
own circuit arrangements, with suitable arrangements
the circuit can be made to operate according
to either encryption method or as a combination
of these. When the encryption according to the
third embodiment is decrypted the block decryption
and byte decryption are made on the TS packets
already before they are decomposed into PES
packets. The encryption method according to the 
first embodiment of the invention can be used in 
such applications where only PES packets are 
available at the transmitting end, but the transmis- 
sion should be encrypted in any case. 

Claims 

1. A process for encryption of a bit stream con- 
taining digital video, audio and data informa- 
tion, whereby the bit stream is formed by 
forming each information into packets compris- 
ing a first header and a first information section 
formed by information bytes, whereby for the 
transmission each packet is divided into sec- 
ond information sections of transport stream 
packets of a fixed length, whereby a packet 
may be divided into several information sec- 
tions of the transport stream packet, char- 
acterized in that 

- in the encryption of the packets a first 
encryption key is used in a bit or byte 
based encryption algorithm, whereby the 
encryption is made with an accuracy of 
one bit or one byte at a time, and

- in the encryption of transport stream
packets a second encryption key is used
in a block based encryption algorithm,
whereby the encryption of the section to
be encrypted is made by blocks which
contain several bytes of a transport
stream packet. 

2. The process of claim 1, characterized in that
the encryption is made only on packets or
parts of the packets, but the transport stream
packets are not encrypted.

3. The process of claim 1, characterized in that
the encryption is made only on a transport
stream packet or a part of it, but the packets
are not encrypted.

4. The process of claim 3, characterized in that
the transport stream packet is block encrypted
and further also encrypted on a bit or byte
basis.

5. The process of claim 1, characterized in that
both packets and transport stream packets or
their parts are encrypted.

6. The process of claim 1 or 5, characterized in
that the block encryption of the transport
stream packets is performed only on that section
of the packet to be encrypted whose length is a
multiple of the encryption block.

7. The process of claim 1, 3 or 5, characterized
in that the block based encryption algorithm is
used over the whole section to be encrypted,
so that first a number of bytes corresponding
to a multiple of the encryption block is encrypted,
and that during the second encryption
phase a multiple of the encryption block is
formed by performing the encryption also both
on bytes of a section shorter than the block
length and on a desired number of bytes of the
section already once encrypted.

8. The process of claim 1 or 2, characterized in
that the packet encryption algorithm is the
PRBS algorithm (Pseudo Random Bit Sequence)
known per se.

9. The process of claim 1 or 2, characterized in
that the packet encryption algorithm does not
limit the length of the section to be encrypted,
but that it can be of any length with an accuracy
of a byte or a bit.

10. The process of claim 2, characterized in that 
the packet header is not encrypted.

11. The process of claim 1, characterized in that
information about whether the packets, the 
transport stream packets or both are encrypted 
is included in the transport stream packet 
header. 

12. The process of claim 1, characterized in that 
the packet header and the transport stream 
header are not encrypted. 

13. The process of claim 4 or 5, characterized in 
that the first and second encryption keys are 
the same. 

14. A process for decryption of a bit stream com- 
prising digital information, whereby the bit 
stream is formed by forming each information 
into packets comprising a first header and a 
first information section formed by information 
bytes, whereby for the transmission each 
packet is divided into second information sec- 
tions of transport stream packets of a fixed 
length, whereby a packet may be divided into 
several information sections of the transport 
stream packet, characterized in that 

- from the transport stream packet headers 
it is identified whether the packets, the 
transport stream packets or both are en- 
crypted, 

- in the decryption of the packets there is 
used a decryption algorithm on a bit or 
byte basis, whereby the decryption is 
made with an accuracy of one bit or one 
byte at a time, and 

- in the decryption of the transport stream 
packets there is used a decryption al- 
gorithm on a block basis, whereby the 
encrypted section is decrypted one block 
at a time, the block containing several 
bytes of a transport stream packet. 

15. The process of claim 14, characterized in 
that when both the packets and the transport 
stream packets are encrypted then their de- 
cryption is made in one process which pro- 
cesses at most one block of the block encryp- 
tor at a time. 

16. The process of claim 14, characterized in 
that when it is identified from the transport 
stream packet header that the block encryption 
algorithm covers the length of the second in- 
formation section, then first a number of bytes 
corresponding to a multiple of the decryption 
block is decrypted once, and in a second 
decryption phase a multiple of the decryption 
block is formed so that the decryption includes 
both bytes of a section shorter than one block
and a desired number of bytes from the region
already once decrypted. 

17. The process of claim 14, characterized in
that the decryption is not made on the packet
header or transport stream packet header
which is not encrypted. 

18. A device to encrypt a received bit stream
comprising digital information comprises
means to form packets of a first information
section comprising a first header and information
bytes of each kind of information, means
to slice for transmission each packet into second
information sections of transport stream
packets of a fixed length, the transport stream
packets comprising a second header and said
second information section, whereby the packet
can be divided into several information sections
of the transport stream packet, characterized
in that it further comprises:

- means to encrypt the packets using a
first encryption key with a bit or byte
based encryption algorithm, whereby the
encryption is made with an accuracy of
one bit or byte at a time; and

- means to encrypt the transport stream
packets using a second encryption key
with a block based algorithm, whereby
the section to be encrypted is made on a
block comprising several transport
stream packets at a time.

19. A device to decrypt a received bit stream
comprising digital information, the stream being
provided by forming packets of each information,
the packets comprising a first information
section comprising a first header and
information bytes, by dividing each packet for
transmission into information sections of transport
stream packets of fixed length, the transport
stream packets comprising a second
header and said second information section,
whereby the packet can be divided into several
information sections of the transport stream
packet, characterized in that it comprises

- means that identifies from the transport
stream packet header information whether
the packets, transport stream packets
or both are encrypted, and that further
identifies the used encryption keys;

- means to decrypt the packets with a bit
or byte based decryption algorithm,
whereby the decryption is made with an
accuracy of a bit or a byte at a time,

- means to decrypt the packets with a 
decryption algorithm based on blocks, 
whereby the encrypted section is de- 